Abstract

We establish completeness for intuitionistic first-order logic, iFOL, showing that a formula is provable if and only if its embedding into minimal logic, mFOL, is uniformly valid under the Brouwer-Heyting-Kolmogorov (BHK) semantics, the intended semantics of iFOL and mFOL.

Our proof is intuitionistic and provides an effective procedure Prf that converts uniform minimal evidence into a formal first-order proof. We have implemented Prf. Uniform validity is defined using the intersection operator as a universal quantifier over the domain of discourse and atomic predicates. Formulas of iFOL that are uniformly valid are also intuitionistically valid, but not conversely. Our strongest result requires the Fan Theorem; it can also be proved classically by showing that Prf terminates using König's Theorem.
The fundamental idea behind our completeness theorem is that a single evidence term evd witnesses the uniform validity of a minimal logic formula F. Finding even one uniform realizer guarantees validity because Prf(F, evd) builds a first-order proof of F, establishing its uniform validity and providing a purely logical normalized realizer.

We establish completeness for iFOL as follows. Friedman showed that iFOL can be embedded in minimal logic (mFOL) by his A-transformation, mapping formula F to $F^A$. If F is uniformly valid, then so is $F^A$, and by our completeness theorem, we can find a proof of $F^A$ in minimal logic. Then we intuitionistically prove F from $F^A$ by taking False for A and for $\bot$ of mFOL. Our result resolves an open question posed by Beth in 1947.


1 Introduction 

1.1 Overview


Approaches to completeness  We introduce a new approach to completeness questions. It provides the first intuitionistic completeness proof for the intended semantics of intuitionistic logic, a question investigated by Beth [6] starting in 1947 and open ever since. Our result provides an answer, however not the one expected by comparison with Gödel's completeness proof for classical first-order logic. We briefly review previous completeness results below.

We came to our approach because we use on a daily basis the fact that from constructive 
proofs of a theorem in computational type theory we can automatically extract programs that 
meet the specification given by the theorem. These polymorphically typed programs are evidence 
for validity of the theorem. For intuitionistic first-order logic (iFOL), a subtheory of type theory, 
the extracted programs are uniform witnesses for validity of the theorems. We call them uniform 
realizers. We can express this uniformity by a universal quantifier defined using the intersection type in computational type theory [1]. Moreover for first-order logic we know that the realizers are not only uniform, but they are in normal form and consist entirely of logical operators. This is a basic fact about the extraction of computational content (see [32]).

Footnote: See Troelstra [48], where he states on page 12: "The standard informal interpretation of logical operators in intuitionistic logic is the so-called proof-interpretation or Brouwer-Heyting-Kolmogorov interpretation (BHK-interpretation for short)." Brouwer proposed several interpretations of negation (see [50]), so minimal logic represents the stable intended core from which it is possible to explain the "ex falso quodlibet" rule as we show.

In many cases we could see clearly the proof structure in the realizers. This led us to conjecture that iFOL is complete with respect to uniform semantics because uniformity eliminates terms that are not essentially built from the logical operators. It was a longer road to establish this in detail, and we report succinctly on that journey here, giving all of the technical details. In a longer forthcoming article we will provide more motivation, examples, and practical applications under the proposed title Intuitionistic Completeness of First-Order Logic with Respect to Uniform Evidence Semantics. There we also explicitly prove some of the basic results about extraction in the simple setting of iFOL.

The common approach to first-order completeness is based on systematic search for counterexamples to a conjecture, and validity of the conjecture is the reason the search fails, halting with a proof. This approach is well illustrated in Smullyan's enduringly valued monograph First-Order Logic [45] and Fitting's monograph [15], both going back to the work of Beth [6]. Like all other classical proofs of completeness, these are not constructively valid. We take a very different approach, effectively converting uniform evidence for validity into a proof. We do this by building objects called evidence structures that reveal the evidence term layer by layer. For instance, when we see evidence of the form $\lambda(x.b(x))$ for a formula $A \Rightarrow B$, then we add to the context of the evidence structure the assumption that $x : A$ and continue by analyzing $b(x)$ after normalizing it by symbolic computation. This computation reveals the operations that must be performed on the context to expose more of the evidence term $b(x)$. For example, if the assumption $A$ is $A_1 \& A_2$, then we decompose $x$ into $x_1 : A_1$ and $x_2 : A_2$ and substitute the pair $\langle x_1, x_2 \rangle$ into the logical operator mentioning $x$ in the evidence term we are analyzing. Because the evidence is uniform, the normalization process eliminates any operators on non-logical terms. We can thus convert the operators on evidence terms to proof steps in first-order minimal logic.

Our realizers are effectively computable functions operating on data types; we call this approach Brouwer realizability or evidence semantics. We do not rely on Church's Thesis for any of these results, and according to Kleene [23], our use of the Fan Theorem precludes it.

We hope that our results will add more weight to the notion that there is a deep connection between proving a theorem and writing a program. We have long stressed this idea in papers treating proofs as programs [1, 3, 11] and conversely programs as proofs, additionally in papers treating formal constructive mathematics as a programming language [3] where types subsume data types. Here we are treating iFOL as an abstract programming language where formulas are specifications given by dependent types. We build the proof from the program/data type which is a uniform Brouwer realizer.

Intuitionistic model theory  This article contributes to an intuitionistic model theory as proposed by Beth in 1947 [6] and greatly advanced by Per Martin-Löf [32, 33]. Beth's methods led to Beth models and Kripke models whose computational meaning is not as strong as in the realizability tradition, even given Veldman's intuitionistic completeness theorem for Kripke models [51]. We work in the realizability tradition started by Kleene, developed further by Martin-Löf, extended and implemented by the PRL Group as reported in the book Implementing Mathematics [11], by the Coq Group as reported in [5], the Gothenburg Group as reported in the book Programming in Martin-Löf's Type Theory [38], the Minlog Group as reported in Proof Theory at Work: Program Development in the Minlog System [3], and in numerous doctoral dissertations and articles many of which are cited in [1]. This is the tradition framing and motivating our completeness results.

Footnote: Beth invented semantic tableaux as a bridge from semantics to proofs; we use uniform realizers and their evidence structures.

Footnote: The Computational Type Theory which Nuprl implements was designed in 1984 to use an open-ended notion of effective computability from the start.

The semantic tradition is grounded in precise knowledge of the underlying computation system and its efficient implementation, made rigorous by researchers in programming languages. Our operational semantics of evidence terms follows the method of structured operational semantics of Plotkin [41, 42]. The few basic results about programming language semantics we mention can be found in the comprehensive textbooks on the subject [37, 39]. Many results from this theory are now being formalized in proof assistants and applied directly to building better languages and systems [40].

1.2 Background 

Classical first-order logic, FOL  Tarski's semantics for classical first-order formulas faithfully captures their intuitive truth-functional interpretation. Gödel proved his classical completeness theorem for first-order logic with respect to this intended semantics, showing that an FOL formula is provable if and only if it is truth-functionally valid. This has become a fundamental result in logic which is widely taught to undergraduates. There are many excellent textbook proofs such as [45].

Intuitionistic first-order logic, iFOL  The BHK semantics for iFOL is the intended semantics, faithful to the intuitionistic conception of knowledge. In contrast to the classical situation, there has been no intuitionistic completeness proof with respect to the intended semantics. To explain this contrast, we look briefly at the origin of intuitionism. At nearly the same time that a truth-functional approach to logic was being developed by Frege [16] and Russell, circa 1907, Brouwer [19, 50] imagined a very different meaning for mathematical statements and thus for logic itself. Brouwer's meaning is grounded in the mental constructions that cause an individual mathematician to know that mathematical objects can be created with certain properties.

Brouwer developed a very rich informal model of computation in terms of which he could interpret most concepts and theorems of mathematics, including from set theory (see [50]). Brouwer's approach anticipated a precise meaning that Church, Turing, and now legions of computer scientists give to mathematical statements whose meaning is grounded in computations executed by modern digital computers. Brouwer's intuitive interpretation has come to be known among logicians as Brouwer, Heyting, Kolmogorov (BHK) semantics when applied to formal intuitionistic logical calculi, as first done by Heyting [20] and Kolmogorov. In 1945 Kleene [22] invented his realizability semantics for intuitionistic number theory in order to connect Brouwer's informal notion of computability to the precise theory of partial recursive functions. He used indexes of general recursive functions as realizers, and by 1952 [21] he viewed realizability as a formal account of BHK semantics under the assumption of Church's Thesis.

By 1982 Martin-Löf [32, 33], building on the work of Kleene, refined the BHK approach and raised it to the level of a semantic method for constructive logics grounded in structured operational semantics [42]. Martin-Löf often refers to BHK as the propositions as types principle. In computer science other terminology is "proofs as programs" or the "Curry-Howard isomorphism". Already in 1970 Martin-Löf proposed using Brouwer's analysis of bar induction as the meaning of $\Pi$ statements and developed a constructive version of completeness for classical first-order logic [31] based on a topological model of Borel sets in the Cantor Space.

This semantics plays an important role in the business of building correct-by-construction software and in the semantics of constructive logics such as Computational Type Theory (CTT) [1, 11], Intuitionistic Type Theory (ITT) [32, 33, 38], Intensional ITT [34, 38], the Calculus of Inductive Constructions (CIC) [5], Minlog, and Logical Frameworks such as Edinburgh LF [18]. All of these logics are implemented by proof assistants such as Agda, Coq, MetaPRL, Minlog, Nuprl, and Twelf among others.
Previous completeness theorems  A constructive completeness theorem for iFOL with respect to intuitionistic validity is a very strong result because it says that if we know that a formula is valid, thus true in every possible model, then we can effectively find a first-order proof based on that knowledge. This seems highly unlikely, as the sixty-four-year-long investigation of the problem has shown. In all previous work, the idea is to try to construct a proof and use the evidence for truth to argue that the proof construction must succeed. Classically this requires König's Lemma, and constructively some use of Markov's Principle or the Fan Theorem or something of that kind. Those efforts do not try to use the information that $\forall M : Model.\ M \models F$ to build the proof. Nevertheless, our results show exactly how to build the proof from uniform evidence for validity, which is a single object. Moreover, we can actually execute our result using a tactic executed by the Nuprl prover [11, 26]. We give that procedure in the Appendix.

Over the last fifty years there have been numerous deep and evocative efforts to formulate completeness theorems for the intuitionistic propositional calculus and for intuitionistic first-order logic modeled after Gödel's Theorem [13]. Some efforts led to apparently more technically tractable semantic alternatives to BHK such as Beth models [7], Kripke models [27], topological models [12, 17], intuitionistic model theoretic validity [19], and provability logic [2]. Dummett discusses completeness issues extensively. The value of developing a precise mathematical semantics for intuitionistic mathematics in the spirit of Tarski's work dates at least from Beth 1947 [6] with technical progress by 1957 [7]. So the completeness issue has been identified yet unsettled for sixty-four years. An important early attempt to base completeness on BHK is the (nonconstructive) work of Läuchli [28, 30], who stressed the notion of uniformity as important. None of these efforts provides a constructive completeness theorem faithful to BHK semantics (a.k.a. Brouwer realizability) either for the intuitionistic propositional calculus (IPC) or for the full predicate calculus. We do.

The closest correspondingly faithful constructive completeness theorem for intuitionistic validity is by Friedman in 1975 (presented in [49]), and the closest classical proof for the Brouwer-Heyting-Kolmogorov (propositions as types/proofs as terms/proofs as programs) semantics for intuitionistic first-order logic is from 1998 by Artemov using provability logic [2]. These results suggest how delicate completeness theorems are, since constructive completeness with respect to full intuitionistic validity contradicts Church's Thesis [25, 49] and implies Markov's Principle as well [35, 36].



1.3 Summary of Results 

Results in this article  We first review evidence semantics. Using evidence semantics, we then introduce the idea of uniform validity, a concept central to our results and one that is also classically meaningful. This concept provides an effective tool for semantics because we can establish uniform validity by exhibiting a single polymorphic object. For example, the propositional formula $A \Rightarrow A$ is uniformly valid exactly when there is an object in the intersection of all evidence types for this formula for each possible choice of $A$ among the type of propositions, $\mathbb{P}$. We write this intersection as $\forall[A : \mathbb{P}].\ A \Rightarrow A$ or as $\bigcap A : \mathbb{P}.\ A \Rightarrow A$. In this case, given the extensional equality of functions, the polymorphic identity function $\lambda(x.x)$ is the one and only object in the intersection. So the witness for uniform validity, like the witness for provability, can be provided by a single object. Truth tables do this for classical propositional logic. Unlike for classical first-order logic, there are single witnesses for the validity of all uniformly valid first-order formulas; for example, it will be clear after we provide the evidence semantics that the polymorphic term $\lambda(h.\lambda(x.\lambda(p.h(\langle x, p \rangle))))$ establishes the uniform minimal (logic) validity of

$$\sim\!\exists x.P(x) \Rightarrow \forall x.(\sim\!P(x))$$

hence the uniform intuitionistic and classical validity as well.

Footnote: Church's Thesis is not an issue for us because we do not assume it.

Footnote: We can extend this semantics to classical logic if we allow oracle computations [10] to justify the law of excluded middle, $P \vee \sim\!P$, with an operator $magic(P)$. We make some observations about classical logic based on this classical evidence semantics.

Footnote: We work in a predicative metatheory, therefore the type of all propositions is stratified into orders or levels, written $\mathbb{P}_i$. For these results we can ignore the level of the type or just write $\mathbb{P}$.

Footnote: Contrast this with the kind of evidence needed for classical or intuitionistic model theoretic validity. In those cases, we need a whole class of models to witness validity of a single formula.

Another important observation about uniform validity is that the formulas of first-order logic that are provable intuitionistically and minimally are uniformly valid. It is also noteworthy that the law of excluded middle is not uniformly valid in either constructive or classical evidence semantics.

Uniform validity also raises the semantic problem that forces us to consider minimal logic first. Consider the intuitionistically valid assertion $False \Rightarrow A$ for any proposition $A$. One semantic object that witnesses uniform validity is $\lambda(x.x)$, and other witnesses for uniform validity include any constant functions, say $\lambda(x.17)$, or even a diverging term such as $div$. The claim being made is that if $x$ belongs to the evidence type for $False$, then $17$ or $div$ belongs to the evidence type for $A$. This claim is vacuously true since no element can be evidence for $False$, whose evidence is the empty type. From the constant function with value 17, $\lambda(x.17)$, we cannot reconstruct the proof. In minimal logic, we don't have the atomic propositional constant $False$; we use instead the arbitrary propositional constant $\bot$, whose interpretation allows non-empty types as well as empty ones. For the same reason, avoiding vacuous hypotheses, we require that all domains of discourse for minimal logic can be non-empty.

Discussion  Our results also suggest why completeness with respect to satisfiability in all constructive models, let alone all intuitionistic models, is unlikely (even impossible according to McCarty [35, 36]): such completeness is unlikely because we show that provability captures exactly uniform validity, an intuitively smaller collection of formulas than those constructively valid. Nevertheless, uniform validity is extremely useful in practice when thinking about purely logical formulas precisely because it corresponds exactly to proof and yet is an entirely semantic notion based on the intended BHK semantics, the semantics that enables strong connections to computer science.

2 The main theorems 

Definition 1. A first order language $\mathcal{L}$ is a symbol $D$ and a finite set of relation symbols $\{R_i \mid i \in I\}$ with given arities $\{n_i \mid i \in I\}$. First order formulas, $\mathcal{F}(\mathcal{L})$, over $\mathcal{L}$ are defined as usual. The variables in a formula (which range over $D$) are taken from a fixed set $Var = \{d_i \mid i \in \mathbb{N}\}$. Negation can be defined to be $\psi \Rightarrow False$. The first order formulas of minimal logic, $\mathcal{MF}(\mathcal{L})$, are the formulas in $\mathcal{F}(\mathcal{L})$ that do not use either negation or $False$.

In type theory, the propositions, P, are identified with types. A non-empty type is a true 
proposition and members of the type are the evidence for the truth of the proposition. An empty 
type provides no evidence and represents a false proposition. 

Definition 2. A structure $M$ for $\mathcal{L}$ is a mapping that assigns to $D$ a type $M(D)$ and assigns to each $R_i$ a term of type $M(D)^{n_i} \to \mathbb{P}$. We write $\mathcal{S}(\mathcal{L})$ for the type of structures for $\mathcal{L}$. If $M \in \mathcal{S}(\mathcal{L})$ and $x \in M(D)$ then $M[d := x]$ is an extended structure that maps the variable $d$ to the term $x$.

Footnote: We can use the fixed point combinator, say $Y$ or $fix$, to define $div$. For instance, $fix(\lambda(x.x))$ computes to itself, where $fix$ is an operator such as the $Y$ combinator $\lambda(f.ap(\lambda(x.ap(f; ap(x; x))); \lambda(x.ap(f; ap(x; x)))))$.

Footnote: The usual definition of minimal logic includes a designated constant $\bot$ and defines weak negation as $\psi \Rightarrow \bot$. We merely view $\bot$ as one of the atomic relation symbols $R_i$ with arity $n_i = 0$.

Footnote: Since we work in type theory we always use types rather than sets.
Definition 3. Given $M \in \mathcal{S}(\mathcal{L})$ that has been extended to map the variables $V_0 \subseteq Var$ into $M(D)$, we extend the mapping $M$ to all formulas in $\mathcal{F}(\mathcal{L})$ with free variables in $V_0$ by:

$$M(False) = Void$$

$$M(R_i(v_1, \ldots, v_{n_i})) = M(R_i)(M(v_1), \ldots, M(v_{n_i}))$$

$$M(\psi_1 \wedge \psi_2) = M(\psi_1) \times M(\psi_2)$$

$$M(\psi_1 \vee \psi_2) = M(\psi_1) + M(\psi_2)$$

$$M(\psi_1 \Rightarrow \psi_2) = M(\psi_1) \to M(\psi_2)$$

$$M(\neg\psi) = M(\psi \Rightarrow False)$$

$$M(\forall v.\psi) = x : D \to (M[v := x])(\psi)$$

$$M(\exists v.\psi) = x : D \times (M[v := x])(\psi)$$

Thus, any $M \in \mathcal{S}(\mathcal{L})$ assigns a type $M(\psi)$ to a sentence (a formula with no free variables) $\psi \in \mathcal{F}(\mathcal{L})$. $M(\psi)$ is synonymous with the proposition $M \models \psi$, and the members of type $M(\psi)$ are the evidence for $M \models \psi$.

Definition 4. A sentence $\psi \in \mathcal{F}(\mathcal{L})$ is valid if

$$\forall M \in \mathcal{S}(\mathcal{L}).\ M \models \psi$$

Evidence for the validity of $\psi$ is a function of type $M : \mathcal{S}(\mathcal{L}) \to M(\psi)$ that computes, for each $M \in \mathcal{S}(\mathcal{L})$, evidence for $M \models \psi$.

A sentence $\psi \in \mathcal{F}(\mathcal{L})$ is uniformly valid if there is one term that is a member of all the types $M(\psi)$ for $M \in \mathcal{S}(\mathcal{L})$. Such a term is a member of the intersection type

$$\bigcap_{M \in \mathcal{S}(\mathcal{L})} M(\psi)$$

We write an intersection type $\bigcap_{x \in T} P(x)$ as a proposition using the notation $\forall[x : T].P(x)$. The square brackets indicate that evidence for the proposition $\forall[x : T].P(x)$ is uniform and does not depend on the choice of $x$. To summarize:

$$\psi \text{ is valid} \equiv \forall M \in \mathcal{S}(\mathcal{L}).\ M \models \psi$$

$$\psi \text{ is uniformly valid} \equiv \forall[M : \mathcal{S}(\mathcal{L})].\ M \models \psi$$

We write $\vdash_{IL} \psi$ to say that there is a proof of $\psi$ in intuitionistic logic and $\vdash_{ML} \psi$ to say that there is a proof of $\psi$ in minimal logic. From a proof in intuitionistic logic of any proposition we can construct evidence for the proposition. Automated proof assistants like Agda, Coq, MetaPRL, Minlog, and Nuprl can construct the evidence automatically. We observe, and can easily prove, that the evidence constructed from an intuitionistic proof of a first order formula $\psi \in \mathcal{F}(\mathcal{L})$ is actually evidence that $\psi$ is uniformly valid. Our main theorem states that for formulas of minimal logic the converse is also true: a uniformly valid formula is provable.
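The evidence types of Definition 3 and the uniform-validity check of Definition 4 can be run by brute force once the structures are finitary. The following Python example, written for this page and not part of the paper or its Nuprl implementation, enumerates a constructed family of finitary structures for a language with relation symbols $\bot$ (arity 0) and $P$ (arity 1) and checks that the polymorphic term $\lambda(h.\lambda(x.\lambda(p.h(\langle x,p \rangle))))$ from Section 1.3 is a member of every $M(\sim\!\exists x.P(x) \Rightarrow \forall x.\sim\!P(x))$; the tuple encoding of formulas, the structure family and the convention that a Python callable stands for a $\lambda$-term are assumptions of the example. It also shows why $\bot$ must be allowed non-empty types: the constant function $\lambda(x.17)$ is rejected as evidence for $\bot \Rightarrow \bot$ while the identity is accepted.

```python
from itertools import product

# Constructed encoding of minimal-logic formulas as tuples:
#   ('bot',)                 the atomic constant ⊥ (a relation symbol of arity 0)
#   ('atom', 'P', ('x',))    a relation symbol applied to variables
#   ('and', a, b)  ('or', a, b)  ('imp', a, b)  ('all', 'x', a)  ('ex', 'x', a)
# A structure M is a dict with 'D' (the domain), 'rel' (symbol -> function giving
# the type of an atomic formula) and 'env' (variable -> element of D).
# Types are Python sets; evidence values are ints, pairs, ('inl', v) / ('inr', v),
# and functions tabulated as frozensets of (argument, value) pairs.

def extend(M, v, x):
    """M[v := x] from Definition 2."""
    return {'D': M['D'], 'rel': M['rel'], 'env': {**M['env'], v: x}}

def functions(dom, cod_of):
    """All functions on the finite type dom sending each x into cod_of(x)."""
    choices = [[(x, y) for y in cod_of(x)] for x in dom]
    return {frozenset(pairs) for pairs in product(*choices)}

def ev(M, phi):
    """The type M(phi) of Definition 3, computed as a finite set."""
    tag = phi[0]
    if tag == 'bot':
        return M['rel']['bot']()
    if tag == 'atom':
        return M['rel'][phi[1]](*(M['env'][v] for v in phi[2]))
    if tag == 'and':
        return {(a, b) for a in ev(M, phi[1]) for b in ev(M, phi[2])}
    if tag == 'or':
        return ({('inl', a) for a in ev(M, phi[1])}
                | {('inr', b) for b in ev(M, phi[2])})
    if tag == 'imp':
        cod = ev(M, phi[2])
        return functions(ev(M, phi[1]), lambda _: cod)
    if tag == 'all':   # dependent function type x:D -> M[v:=x](psi)
        return functions(M['D'], lambda x: ev(extend(M, phi[1], x), phi[2]))
    if tag == 'ex':    # dependent pair type x:D × M[v:=x](psi)
        return {(x, p) for x in M['D'] for p in ev(extend(M, phi[1], x), phi[2])}
    raise ValueError(phi)

def apply(f, a):
    """Apply a tabulated function (frozenset of pairs) to an argument."""
    return dict(f)[a]

def realizes(M, t, phi):
    """Decide t ∈ M(phi). A Python callable plays the role of a λ-term and is
    checked pointwise over the domain of its function type; anything else is a value."""
    if callable(t):
        if phi[0] == 'imp':
            return all(realizes(M, t(a), phi[2]) for a in ev(M, phi[1]))
        if phi[0] == 'all':
            return all(realizes(extend(M, phi[1], x), t(x), phi[2]) for x in M['D'])
        return False
    return t in ev(M, phi)

def structures(max_k=2):
    """Constructed finite family of finitary structures: domains N_k for k <= max_k,
    every atomic type drawn from {}, {0}, {0,1}. As in mFOL, ⊥ may be non-empty."""
    small = [frozenset(), frozenset({0}), frozenset({0, 1})]
    for k in range(1, max_k + 1):
        for bot in small:
            for tab in product(small, repeat=k):
                yield {'D': frozenset(range(k)), 'env': {},
                       'rel': {'bot': lambda b=bot: b,
                               'P': lambda x, tab=tab: tab[x]}}

def uniformly_valid(t, phi):
    """Uniform validity over the constructed family (Definition 4): one term t
    that is a member of M(phi) for every structure M."""
    return all(realizes(M, t, phi) for M in structures())

# Formulas from the text, with ~A written as A ⇒ ⊥
P_x = ('atom', 'P', ('x',))
BOT = ('bot',)
NOT_EX_IMP_ALL_NOT = ('imp', ('imp', ('ex', 'x', P_x), BOT),
                      ('all', 'x', ('imp', P_x, BOT)))
# the polymorphic term λ(h.λ(x.λ(p.h(<x,p>))))
WITNESS = lambda h: lambda x: lambda p: apply(h, (x, p))
BOT_IMP_BOT = ('imp', BOT, BOT)

if __name__ == '__main__':
    print(uniformly_valid(WITNESS, NOT_EX_IMP_ALL_NOT))   # True
    print(uniformly_valid(lambda a: a, BOT_IMP_BOT))       # True
    print(uniformly_valid(lambda a: 17, BOT_IMP_BOT))      # False: ⊥ may be non-empty
```

With False in place of ⊥ (always the empty type) the constant function would pass vacuously, which is exactly the obstacle the text raises before moving to minimal logic.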

Theorem 1. For any $\psi \in \mathcal{MF}(\mathcal{L})$,

$$\forall[M : \mathcal{S}(\mathcal{L})].\ M \models \psi \iff \vdash_{ML} \psi.$$

Using Friedman's A-transformation [29], we can derive from Theorem 1 a corresponding completeness theorem for intuitionistic logic.

Corollary 1. For any $\psi \in \mathcal{F}(\mathcal{L})$,

$$\forall[M : \mathcal{S}(\mathcal{L})].\ M \models \psi^A \iff \vdash_{IL} \psi$$
Proof. By Theorem 1 it is enough to show that $\vdash_{ML} \psi^A$ if and only if $\vdash_{IL} \psi$.

($\Rightarrow$) If $\vdash_{ML} \psi^A$ then also $\vdash_{IL} \psi^A$ for any interpretation of $A$, including $False$. It is easy to prove, by induction on the structure of $\psi$, that $\psi^{False} \iff \psi$.

($\Leftarrow$) This is Friedman's Theorem. □

We will prove Theorem 1 by defining an effective procedure that builds a tree of evidence structures (defined below) starting with an initial evidence structure formed from the uniform evidence term. We show that any evidence structure is either trivial (and therefore a leaf of the ultimate minimal logic proof) or else can be transformed into a finite number (either one or two) of derived evidence structures, and the transformation tells us what rule of minimal logic to use at that step of the proof.

Theorem 1 will then follow from the fact that this effective procedure must terminate and yield a finite proof tree. The termination of the procedure for an arbitrary term $evd \in \bigcap_{M \in \mathcal{S}(\mathcal{L})} M(\psi)$ is a strong claim. The evidence need not be a fully-typed term with all of its subterms typed, so there can be sections of "dead code" in the evidence that are not typable and may not be normalizable. Nevertheless the fact that the evidence is uniformly in the type $M(\psi)$ implies that the "dead code" is irrelevant and our procedure will terminate, but the proof of this fact (which follows in classical logic from König's lemma) in intuitionistic mathematics seems to require Brouwer's Fan Theorem.

If we assume that the uniform evidence term is fully normalized, then we can make a direct inductive argument for termination of our proof procedure. Since the evidence constructed from a proof in minimal logic is fully normalizable, this results in an alternate version of completeness that we state as follows.

Theorem 2. Any $\psi \in \mathcal{MF}(\mathcal{L})$ is provable in minimal logic ($\vdash_{ML} \psi$) if and only if there is a fully normalized term $evd$ in the type $\bigcap_{M \in \mathcal{S}(\mathcal{L})} M(\psi)$.

We work only in intuitionistic logic, so we must avoid the use of excluded middle for propositions that are not decidable, and in particular we can not assume the proposition $evd \in M(\psi)$ is decidable. Because of this, we will need the concept that an evidence term $evd$ is consistent with the type $M(G)$. One notion of consistency that is sufficient for our proof is that there is no structure $M$ for which $evd \notin M(G)$. However, the resulting proof is logically more complex than the one we give below, where consistency is based on interpreting the types in finitary structures.

3 Finitary types and structures 

Definition 5. Types $A$ and $B$ are equipollent (written $A \sim B$) if there is a bijection $f : A \to B$. A type $T$ is finite if $\exists k : \mathbb{N}.\ T \sim \mathbb{N}_k$ (where $\mathbb{N}_k$ is the type of numbers in the range $0 \le i < k$).

Note that if $T$ is finite then equality in $T$ is decidable and there is a list $L_T$ that enumerates $T$, i.e. contains all the members of $T$ with no repeats. Using $L_T$, any function $f : T \to S$ can be converted to a table

$$graph(f) = map(\lambda x.(x, f(x)),\ L_T)$$

Using the decidable equality in $T$ we can define a table lookup function and recover the function

$$f = lookup(graph(f))$$

Definition 6. We write $t\downarrow$ to say that term $t$ computes to a value (a canonical form). The bar type $\bar{T}$ is the type of all terms $t$ such that $(t\downarrow) \Rightarrow (t \in T)$.

A function $f : Term \to T$ is strict if for all terms $t$

$$(f(t)\downarrow) \Rightarrow (t\downarrow)$$

A type $T$ is a value type if every member of $T$ converges to a value.

A bar type T is not a value type, but even without bar types, a rich type theory that includes 
intersection types or quotient types will have some types that are not value types. 

Definition 7. A type $T$ is a retract if there is a strict function $i_T$ of type $Term \to T$ such that

$$\forall t : T.\ i_T(t) = t \in T$$

or equivalently

$$i_T = id \in (T \to T)$$

A type $T$ is finitary if it is a finite, value type and a retract.

A structure $M \in \mathcal{S}(\mathcal{L})$ is finitary if $M(D)$ is finitary and the types $M(R_i)(d_1, \ldots, d_m)$ assigned to the atomic formulas are finitary.

We let abort be a fixed term that has no redex but is not a canonical form. For example abort 
could be 0(0) or true + 5 or a primitive. The term abort does not converge to a value. We use 
this to construct simple examples of finitary types. 

Example 1. The type $\mathbb{N}_k$ is a finitary type. The retraction $i_{\mathbb{N}_k}$ is

$$\lambda t.(\text{if } 0 \le t \ \&\ t < k \text{ then } t \text{ else } abort).$$

Example 2. The type $Unit$ with a single canonical member $\star$ is a finitary type. The retraction is

$$\lambda t.(\text{if } t == \star \text{ then } t \text{ else } abort).$$

These examples depend on the existence of primitive computations that recognize the canonical 
forms of the intended members of the type. We mention here some additional assumptions about the 
underlying computation system on which our proof of completeness depends. These assumptions 
are satisfied by the computation system used by Nuprl, but our proof could easily be modified to 
work for type theories based on different primitive computations. 

Assumption 1. The only primitive redex involving a pair $(t_1, t_2)$ is

$$spread((t_1, t_2);\ x, y.B(x, y)) \mapsto B(t_1, t_2)$$

The only primitive redex involving $inl\ t$ is

$$decide(inl\ t;\ x.B(x);\ y.C(y)) \mapsto B(t)$$

The only primitive redex involving $inr\ t$ is

$$decide(inr\ t;\ x.B(x);\ y.C(y)) \mapsto C(t)$$

The only primitive redex involving $\lambda x.B(x)$ is

$$(\lambda x.B(x))(t) \mapsto B(t)$$

Footnote: For example, the computation system could have primitive projection functions $\pi_1$ and $\pi_2$ rather than the spread primitive. It could have primitives for isl, outl, isr, and outr rather than the decide primitive. Our construction would be easily modified to accommodate such differences.
Lemma 1. If $A$ and $B$ are finitary then $A + B$ is finitary. If $A$ is finitary and for all $a \in A$, $B(a)$ is finitary then the types $a : A \to B(a)$ and $a : A \times B(a)$ are both finitary.

Proof. It is straightforward to prove that the types are finite, value types. The retraction maps $i$, $j$, and $k$ for $A + B$, $a : A \to B(a)$, and $a : A \times B(a)$ are

$$i(t) = decide(t;\ x.i_A(x);\ y.i_B(y))$$

$$j(t) = lookup(graph(\lambda a.\ i_{B(a)}(t(i_A(a)))))$$

$$k(t) = spread(t;\ x, y.(\lambda a.(\lambda b.(a, b))(val\ i_{B(a)}(y)))(val\ i_A(x)))$$

The operation $f(val\ x)$ is a call-by-value apply, so for the retraction $k(t)$ to converge, the term $t$ must evaluate to a pair $(x, y)$, the value $a = i_A(x)$ must converge, and the value $b = i_{B(a)}(y)$ must converge, before the pair $(a, b) \in a : A \times B(a)$ is formed. □

Corollary 2. If $M \in \mathcal{S}(\mathcal{L})$ is finitary and $\psi \in \mathcal{F}(\mathcal{L})$ then $M(\psi)$ is finitary.

Definition 8. We abbreviate $(\lambda a.(a, y))(val\ x)$ as $(val\ x, y)$. This operation forms a pair only after the first component has been evaluated.

Definition 9. A term $t$ is consistent with a retract type $T$ if $i_T(t) \in T$ or, equivalently, if $i_T(t)\downarrow$. If $A$ is a retract then a function $f : A \to B$ is tight if the domain of $f$ contains only terms consistent with $A$, i.e. if for all terms $t$

$$(f(t)\downarrow) \Rightarrow (i_A(t)\downarrow).$$

Lemma 2. If $f$ has type $A \to B$ and $A$ is a retract, then there is a tight function $f' = f \in (A \to B)$.

Proof. Let $f' = f \circ i_A$ where $i_A$ is the retraction onto $A$. Since $i_A$ is the identity on $A$, we have $f' = f \in (A \to B)$. The domain of $f'$ contains only terms in the domain of $i_A$. □
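As an added illustration of Definitions 5 to 9 and Lemma 1 (not code from the paper or from Nuprl), the following Python models finitary types as enumerations paired with strict retractions: the graph/lookup tabulation, the retractions of Examples 1 and 2, the retractions $i$, $j$, $k$ for sums, dependent functions and dependent pairs, and the tightening $f \circ i_A$ of Lemma 2. The stuck term $abort$ is modelled by raising an Abort exception, and the class and function names are the example's own.

```python
from itertools import product

class Abort(Exception):
    """Raised where the paper's term `abort` would be reached: a stuck term with
    no redex that is not a canonical form, so no value is ever produced."""

STAR = object()     # the single canonical member ★ of Unit
ABORT = object()    # constructed stand-in for a term that does not converge

class Finitary:
    """A finitary type: the enumeration L_T (no repeats) plus a strict retraction
    retract : Term -> T that is the identity on members (Definition 7)."""
    def __init__(self, members, retract):
        self.members = list(members)
        self.retract = retract

def nat(k):
    """N_k = {0, ..., k-1} with the retraction of Example 1."""
    def i(t):
        if isinstance(t, int) and not isinstance(t, bool) and 0 <= t < k:
            return t
        raise Abort
    return Finitary(range(k), i)

def unit_retract(t):
    """Retraction of Example 2: only the canonical form ★ is recognised."""
    if t is STAR:
        return t
    raise Abort

UNIT = Finitary([STAR], unit_retract)

def graph(f, T):
    """graph(f) = map(λx.(x, f(x)), L_T): tabulate f over the enumeration of T."""
    return [(x, f(x)) for x in T.members]

def lookup(table):
    """Recover a function from its table using decidable equality on T.
    An argument outside the table has no matching row, so the call is stuck."""
    def g(x):
        for a, b in table:
            if a == x:
                return b
        raise Abort
    return g

def sum_type(A, B):
    """A + B with retraction i(t) = decide(t; x.i_A(x); y.i_B(y))."""
    def i(t):
        if isinstance(t, tuple) and len(t) == 2:
            if t[0] == 'inl':
                return ('inl', A.retract(t[1]))
            if t[0] == 'inr':
                return ('inr', B.retract(t[1]))
        raise Abort
    return Finitary([('inl', a) for a in A.members] +
                    [('inr', b) for b in B.members], i)

def pi_type(A, B):
    """a:A -> B(a) with retraction j(t) = lookup(graph(λa. i_{B(a)}(t(i_A(a))))).
    Members are enumerated as lookup tables over L_A."""
    def j(t):
        return lookup(graph(lambda a: B(a).retract(t(A.retract(a))), A))
    tables = product(*[[(a, b) for b in B(a).members] for a in A.members])
    return Finitary([lookup(list(tab)) for tab in tables], j)

def sigma_type(A, B):
    """a:A × B(a) with retraction k(t) = spread(t; x,y.(val i_A(x), val i_{B(a)}(y))):
    the pair is formed only after both components have converged."""
    def k(t):
        if not (isinstance(t, tuple) and len(t) == 2):
            raise Abort
        a = A.retract(t[0])        # call-by-value: the first component first ...
        b = B(a).retract(t[1])     # ... then the second, in the type depending on a
        return (a, b)
    return Finitary([(a, b) for a in A.members for b in B(a).members], k)

def consistent(T, t):
    """Definition 9: t is consistent with T iff i_T(t) converges."""
    try:
        T.retract(t)
        return True
    except Abort:
        return False

def tighten(f, A):
    """Lemma 2: f' = f ∘ i_A agrees with f on A and is stuck on terms off A."""
    return lambda t: f(A.retract(t))

if __name__ == '__main__':
    SIG = sigma_type(nat(2), lambda a: nat(a + 1))
    print(SIG.members)                      # [(0, 0), (1, 0), (1, 1)]
    print(consistent(SIG, (0, 1)))          # False: 1 is not in N_1
    print(consistent(pi_type(nat(2), lambda a: nat(a + 1)), lambda a: 1))  # False
```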

Definition 10. For any $\sigma : V_0 \to T_0$ that is an injection from a finite subset $V_0 \subseteq Var$ into a finitary type $T_0$ we define a finitary $\mathcal{L}$-structure $M_{triv}(\sigma)$ by

$$M(D) = T_0$$

$$M(v) = \sigma(v)$$

$$M(R_i) = \lambda x_1, \ldots, x_{n_i}.\ Unit.$$

Lemma 3. For any $\psi \in \mathcal{MF}(\mathcal{L})$ with free variables in $V_0$, $M_{triv}(\sigma) \models \psi$.

Proof. The structure $M_{triv}(\sigma)$ assigns to every atomic formula the non-empty type $Unit$. It is then clear that $M_{triv}(\sigma)$ assigns a non-empty type to every minimal logic formula and hence $M_{triv}(\sigma) \models \psi$. This would not be true for general first-order formulas that include negation and $False$. □

4 Evidence structures 

We will use the concept of an evidence structure to build a bridge between uniform evidence terms and proofs. An evidence structure will have three parts: a context $H$, a goal $G$, and an evidence term $evd$. The context $H$ will include some declarations of the form $d_i : D$ where $d_i \in Var$ (the variables in $\mathcal{F}(\mathcal{L})$), but it will also include declarations of the form $v_i : A$ where $A \in \mathcal{MF}(\mathcal{L})$ is a subformula of the original goal $\psi$ and $v_i$ is a variable chosen from another set of variables $Var' = \{v_0, v_1, v_2, \ldots\}$ disjoint from $Var = \{d_0, d_1, \ldots\}$. The context $H$ will also contain constraints of the form $f(val\ d) = t$ where $f \in Var'$ and term $t$ is a pattern over $H$.
Definition 11. Given a set $H$ of variable declarations $v : T$, the set of patterns over $H$ is the set of typed terms defined inductively by:

1. Any $v : T \in H$ is a pattern.

2. If $ptn_1 : A$ and $ptn_2 : B$ are patterns then the following are patterns:

• $(ptn_1, ptn_2) : (A \times B)$

• $inl\ ptn_1 : (A + B)$

• $inr\ ptn_2 : (A + B)$.

Definition 12. A typing H over C is a list of declarations of one of the two forms: 

1. d :D where d G Var. 

2. V :A where v G Var' and A G MT{jC) such that every free variable d of A, is declared in H. 
A model M of H is a finitary structure for C extended so that for each v :T in H , M{v) € M{T). 
Definition 13. An implies constraint on a typing $H$ is an equation

$v_i = \mathrm{constant}(t)$

where $v_i : A \Rightarrow B \in H$ and $t$ is a pattern of type $B$. The constraint is stratified if for any variable $v_j$ in pattern $t$, $i < j$. The constraint is unique in $H$ if there is no other constraint $v_i = \mathrm{constant}(t')$ in $H$. A model $M$ of $H$ satisfies the constraint if $M(v_i) = \lambda x.\, M(t) \in (M(A) \to M(B))$.

A forall constraint is an equation

$v_i(\mathrm{val}\ d) = t$

where $d : D \in H$ and for some formula $P \in \mathcal{MF}(\mathcal{L})$, $v_i : \forall z.\, P \in H$ and $t$ is a pattern of type $P(d)$ over $H$. The constraint is stratified if for any variable $v_j$ in pattern $t$, $i < j$. The constraint is unique in $H$ if there is no other constraint $v_i(\mathrm{val}\ d) = t'$ in $H$. A model $M$ of $H$ satisfies the constraint if $M(v_i)(M(d)) = M(t) \in M(P(d))$.

An evidence context $H$ over $\mathcal{L}$ is a list of declarations and unique, stratified constraints such that the declarations are a typing over $\mathcal{L}$ and the constraints are constraints on that typing. $M$ is a model of context $H$ if it is a model of the typing $H$ that satisfies all the constraints. We write $M \models H$ to say that $M$ is a model of context $H$; note that this means that $M \in \mathcal{S}(\mathcal{L})$ and $M$ is finitary.

Definition 14. A model $M \models H$ is tight if for every $f : A \Rightarrow B \in H$, the function $M(f)$ is tight. We write $M \models_t H$ when $M$ is tight.

Lemma 4. Every evidence context $H$ over $\mathcal{L}$ has a tight model.

Proof. Let $V_0$ be the variables $d_i$ for which $d_i : D \in H$. We first choose a finitary type $T_0$ and an injection $\sigma : V_0 \to T_0$ (we can use $N_k$ for $k \geq |V_0|$). We construct the model $M$ by extending the model $\mathcal{M}_{triv}(\sigma)$, choosing values for the variables that satisfy all the constraints. Since the constraints are stratified, we choose values for the variables in reverse order. Let $v_j \in Var'$ be a variable with a declaration $v_j : T \in H$ and assume that we have chosen values for all variables $v_k$ in $H$ with $j < k$. Assign a value to all patterns $t$ all of whose variables $v_k$ have $k > j$ recursively as follows: $M((p_1, p_2)) = (M(p_1), M(p_2))$, $M(\mathrm{inl}\ p) = \mathrm{inl}\ M(p)$, $M(\mathrm{inr}\ p) = \mathrm{inr}\ M(p)$.

If $T$ is $\forall x.\, P$ for some $P$, then for each $d_i \in V_0$ we choose a value $w_i \in M(P(d_i))$ as follows. If there is a (unique) constraint $v_j(\mathrm{val}\ d_i) = t_i$ in $H$ then we use $w_i = M(t_i) \in M(P(d_i))$ (which is defined since values for the variables in pattern $t_i$ have already been chosen). Otherwise we choose $w_i$ from the non-empty type $M(P(d_i))$. Since the values $M(d_i)$ are all distinct members of the finite type $M(D) = T_0$, we set the value of $v_j$ to be a function of type $x : M(D) \to M(P(x))$ that maps each $M(d_i)$ to $w_i$. This function is $\mathrm{lookup}([(M(d_i), w_i) \mid d_i \in V_0])$.

If $T$ is $A \Rightarrow B$ then if there is a (unique) implies constraint $v_j = \mathrm{constant}(t)$ then let $w = M(t)$ and choose the constant function $\lambda x.\, w$ made tight by applying Lemma 2. If there is no constraint on $v_j$ then we choose any member of the non-empty type $M(A) \to M(B)$ and make the chosen function tight by applying Lemma 2.

Otherwise there are no constraints on $v_j$, and $\mathcal{M}_{triv}(\sigma)(T)$ is non-empty by Lemma 3, so we may choose a value for $v_j$ from this type. □

Definition 15. An evidence structure is a triple $H \models G, evd$ where

1. $H$ is an evidence context.

2. $G \in \mathcal{MF}(\mathcal{L})$.

3. for every $M \in \mathcal{S}(\mathcal{L})$, if $M \models H$ then $M(evd)$ is consistent with $M(G)$.

We write $t[v := e]$ for the result of substituting $e$ for variable $v$ in term $t$, and we write $(H \models G, evd)[v := e]$ for the result of substituting $e$ for $v$ everywhere in the evidence structure $H \models G, evd$.

Observation 1. If $evd$ is uniform evidence for a formula $\psi$ then

$\models \psi, evd$

is an evidence structure.



5 Derivation rules for evidence structures

We now define a set of sixteen derivation rules by which we derive evidence structures from evidence structures. We will prove that

1. If $H \models G, evd$ is an evidence structure, then $evd$ computes to $evd'$ that is canonical or has a principal argument that is a variable.

2. $H \models G, evd'$ is an evidence structure that matches one of the sixteen derivation rules.

3. This defines a recursive procedure on evidence structures that results in a tree of derived evidence structures.

4. The tree derived from $(\models \psi, evd)$ is finite, and from it we can construct a minimal logic proof of $\psi$.

The first seven derivation rules, shown in Figure 1, match evidence structures where the evidence is in canonical form.

Definition 16. An evidence derivation rule is valid if for any evidence structure matching the pattern above the line, the derived instances below the line are evidence structures.

Lemma 5. The rules in Figure 1 are valid.

Proof. Since these rules do not add constraints to the context, we only have to prove that the derived evidence term is consistent with the derived goal.
∧PAIR
  $H \models G_1 \wedge G_2,\ (evd_1, evd_2)$
  --------------------------------------------
  $H \models G_1, evd_1 \qquad H \models G_2, evd_2$

∃PAIR
  $H \models \exists x.\, G,\ (evd_1, evd_2)$
  --------------------------------------------
  $H \models \exists x.\, G,\ (\mathrm{val}\ evd_1, evd_2)$

∃VAL PAIR
  $d : D \in H \models \exists x.\, G,\ (\mathrm{val}\ d, evd)$  ($d$ a variable)
  --------------------------------------------
  $H \models G[x := d], evd$

∨INL
  $H \models G_1 \vee G_2,\ \mathrm{inl}\ evd$
  --------------------------------------------
  $H \models G_1, evd$

∨INR
  $H \models G_1 \vee G_2,\ \mathrm{inr}\ evd$
  --------------------------------------------
  $H \models G_2, evd$

⇒λ
  $H \models G_1 \Rightarrow G_2,\ \lambda x.\, evd$
  --------------------------------------------
  $H; x : G_1 \models G_2, evd$

∀λ
  $H \models \forall y.\, G,\ \lambda x.\, evd$
  --------------------------------------------
  $H; d : D \models G[y := d],\ evd[x := d]$

The bound variable in $\lambda x.\, evd$ in ⇒λ is renamed to avoid variables in $H$ and the variable $d$ in ∀λ is fresh.

Figure 1: Rules for evidence structures with canonical evidence.

For the rule ∧PAIR, suppose $M \models H$; then $(evd_1, evd_2)$ is consistent with $M(G_1 \wedge G_2)$. So,

$\iota_{M(G_1) \times M(G_2)}((evd_1, evd_2)) \downarrow \ \Leftrightarrow$
$(\lambda a.\, (\lambda b.\, (a, b))(\mathrm{val}\ \iota_{M(G_2)}(evd_2)))(\mathrm{val}\ \iota_{M(G_1)}(evd_1)) \downarrow \ \Leftrightarrow$
$\iota_{M(G_1)}(evd_1) \downarrow \ \wedge\ \iota_{M(G_2)}(evd_2) \downarrow$

For the rule ⇒λ, suppose $M \models H; x : G_1$; then $\lambda x.\, evd$ is consistent with $M(G_1 \Rightarrow G_2)$. So,

$\iota_{M(G_1) \to M(G_2)}(\lambda x.\, evd) \downarrow \ \Leftrightarrow$
$\mathrm{graph}(\lambda a.\, \iota_{M(G_2)}(evd(a))) \downarrow \ \Leftrightarrow$
$\forall a \in M(G_1).\ \iota_{M(G_2)}(evd(a)) \downarrow \ \Leftrightarrow$
$\iota_{M(G_2)}(evd(M(x))) \downarrow$

The proofs of validity of the other rules for canonical evidence are similar to these. □

The remaining rules match evidence that is not in canonical form. If a term is not in canonical form but some instance of it will compute to canonical form, then the term must have a subterm that is a variable, and the computation depends on the value of that variable in order to proceed. We call such a variable the principal variable and any subterm in such a position a principal subterm.

Definition 17. The principal subterm $\mathrm{principal}(t)$ of term $t$ is defined inductively by:

$\mathrm{principal}(\mathrm{decide}(d; x.a; y.b)) = \mathrm{principal}(d)$
$\mathrm{principal}(\mathrm{spread}(p; x, y.b)) = \mathrm{principal}(p)$
$\mathrm{principal}(f(b)) = \mathrm{principal}(f)$
$\mathrm{principal}(f(\mathrm{val}\ b)) = \mathrm{principal}(b)$
$\mathrm{principal}((\mathrm{val}\ a, b)) = \mathrm{principal}(a)$
$\mathrm{principal}(t) = t$, otherwise
VAR
  $H_1; v : G; H_2 \models G, v$

DECIDE
  $H_1; c : A \vee B; H_2 \models G,\ evd(\mathrm{decide}(c; x.a; y.b))$
  --------------------------------------------
  $(H_1; x : A; H_2 \models G, evd(a))[c := \mathrm{inl}\ x] \qquad (H_1; y : B; H_2 \models G, evd(b))[c := \mathrm{inr}\ y]$

∧SPREAD
  $H_1; p : A \wedge B; H_2 \models G,\ evd(\mathrm{spread}(p; x, y.t))$
  --------------------------------------------
  $(H_1; x : A; y : B; H_2 \models G, evd(t))[p := (x, y)]$

∃SPREAD
  $H_1; p : \exists z.\, P; H_2 \models G,\ evd(\mathrm{spread}(p; x, y.t))$
  --------------------------------------------
  $(H_1; d : D; y : P[z := x]; H_2 \models G, evd(t))[p := (d, y)]$

APPLY CONST
  $f = \mathrm{constant}(v) \in H \models G,\ evd(f(t))$
  --------------------------------------------
  $H \models G, evd(v)$

⇒APPLY
  $\neg\exists v.\ f = \mathrm{constant}(v) \in H_1; f : A \Rightarrow B; H_2 \models G,\ evd(f(t))$
  --------------------------------------------
  $H_1; f : A \Rightarrow B; H_2 \models A, t \qquad H_1; f : A \Rightarrow B; H_2; v : B; f = \mathrm{constant}(v) \models G, evd(v)$

∀APPLY
  $f : \forall z.\, P \in H \models G,\ evd(f(t))$
  --------------------------------------------
  $H \models G,\ evd(f(\mathrm{val}\ t))$

APPLY MODEL
  $f(\mathrm{val}\ d) = t \in H \models G,\ evd(f(\mathrm{val}\ d))$
  --------------------------------------------
  $H \models G, evd(t)$

∀CBV
  $\neg\exists t.\ f(\mathrm{val}\ d) = t \in H,\ \{f : \forall z.\, P,\ d : D\} \subseteq H \models G,\ evd(f(\mathrm{val}\ d))$
  --------------------------------------------
  $H; w : P[z := d]; f(\mathrm{val}\ d) = w \models G, evd(w)$

The bound variables $d$, $x$, and $y$ in rules DECIDE and SPREAD are renamed to avoid variables in $H$. The variables $v$ and $w$ introduced in rules APPLY and CBV are fresh.

Figure 2: Rules for evidence structures with non-canonical evidence.

We write $t(x)$ when $x$ is the principal subterm of $t(x)$.

The rules shown in Figure 2 match on the operator that is applied to the principal variable in the evidence. When a fresh variable from $Var'$ is needed, we take the least index greater than all the variables already in use. This guarantees that all the constraints remain stratified.

Lemma 6. The constraints in the evidence structures derived from the rules in Figure 2 are unique, stratified constraints.

Proof. Only the rules ⇒APPLY and ∀CBV add new constraints, and they apply only when there is not already a similar constraint. The constraints are changed only by the rules (DECIDE, SPREAD, and ⇒APPLY) that substitute a pattern ($\mathrm{inl}\ x$, $\mathrm{inr}\ y$, or $(x, y)$) for a variable. In each case the new variables introduced are fresh, and substituting a pattern for a variable in a pattern results in a pattern, so all the constraints remain unique, stratified patterns. □

Lemma 7. The rules in Figure 2 are valid.

Proof. Because it depends on the restriction to tight models, we consider first the proof of

⇒APPLY
  $\neg\exists v.\ f = \mathrm{constant}(v) \in H_1; f : A \Rightarrow B; H_2 \models G,\ evd(f(t))$
  --------------------------------------------
  $H_1; f : A \Rightarrow B; H_2 \models A, t \qquad H_1; f : A \Rightarrow B; H_2; v : B; f = \mathrm{constant}(v) \models G, evd(v)$

Assume that the structure above the line is an evidence structure, and let $M \models_t H_1; f : A \Rightarrow B; H_2$. Then $M(evd(f(t)))$ is consistent with $M(G)$. Since $\iota_{M(G)}$ is strict, this implies that $M(t)$ is in the domain of $M(f)$, and since $M$ is tight, $M(t)$ is consistent with $M(A)$. This proves the validity of the first derived structure $H_1; f : A \Rightarrow B; H_2 \models A, t$.

If $M \models_t H_1; f : A \Rightarrow B; H_2; v : B; f = \mathrm{constant}(v)$ then the model $M$ is also a tight model of $H_1; f : A \Rightarrow B; H_2$, so $M(evd(f(t)))$ is consistent with $M(G)$, and this implies that $M(evd(v))$ is consistent with $M(G)$ because $M(f(t))$ must converge to $M(v)$. This proves the validity of the second derived structure and finishes the proof of the rule ⇒APPLY.

Consider next the rule

∀CBV
  $\neg\exists t.\ f(\mathrm{val}\ d) = t \in H,\ \{f : \forall z.\, P,\ d : D\} \subseteq H \models G,\ evd(f(\mathrm{val}\ d))$
  --------------------------------------------
  $H; w : P[z := d]; f(\mathrm{val}\ d) = w \models G, evd(w)$

If $M \models_t H; w : P[z := d]; f(\mathrm{val}\ d) = w$ then $M \models_t H$ and, because $M(D)$ is a value type, $M(f(\mathrm{val}\ d)) = M(f(d)) = M(w) \in M(P(d))$. Since $M(evd(f(\mathrm{val}\ d)))$ is consistent with $M(G)$ and $\iota_{M(G)}$ is strict, this implies that $M(evd(w))$ is consistent with $M(G)$. So ∀CBV is a valid rule.

Consider next the rule

∃SPREAD
  $H_1; p : \exists z.\, P; H_2 \models G,\ evd(\mathrm{spread}(p; x, y.t))$
  --------------------------------------------
  $(H_1; d : D; y : P[z := x]; H_2 \models G, evd(t))[p := (d, y)]$

If $M \models_t (H_1; d : D; y : P[z := x]; H_2)[p := (d, y)]$ then the model

$M' = M[p := (M(d), M(y))]$

is a tight model of $H_1; p : \exists z.\, P; H_2$, so $M'(evd(\mathrm{spread}(p; x, y.t)))$ is consistent with $M'(G)$. This implies that $M((evd(t))[p := (d, y)])$ is consistent with $M'(G) = M(G)$.

The proofs for the validity of the remaining rules are similar to these. □

Lemma 8. If $H \models G, evd$ is an evidence structure, and $evd'$ is obtained by computing $evd$ until it is canonical or has a principal variable, then $H \models G, evd'$ is an evidence structure.

Proof. If $M \models_t H$ then $M(evd)$ is consistent with $M(G)$, so $\iota_{M(G)}(evd) \downarrow$. This implies $\iota_{M(G)}(evd') \downarrow$ since the computations are the same. □

Lemma 9. If $H \models G, evd$ is an evidence structure, and $evd$ is canonical or has a principal variable, then $H \models G, evd$ matches one of the sixteen rules in Figure 1 and Figure 2.

Proof. By Lemma 4 there is a tight model $M \models_t H$. Thus $M(evd)$ is consistent with $M(G)$. If $evd$ is canonical, then $H \models G, evd$ must match one of the rules in Figure 1 because the type $M(G)$ must be a product, union, or function type.

If $evd$ has a principal variable $v$ then $v : T \in H$ for some $T \in \mathcal{MF}(\mathcal{L})$ and $M(v) \in M(T)$. Since $v$ is principal and $\iota_{M(G)}$ is strict, the computation $\iota_{M(G)}(M(evd))$ must reduce the subterm of $M(evd)$ containing $M(v)$. Since $M(T)$ must be a product, union, or function type, only a spread, decide, apply, or call-by-value apply redex can apply. Therefore one of the rules in Figure 2 must match $H \models G, evd$. □

The preceding lemmas show that there is a well defined procedure that starts with the evidence structure $(\models \psi, evd)$ constructed from uniform evidence for $\psi$ and recursively builds a tree of evidence structures by alternating computation of $evd$ until it is canonical or has a principal variable with matching the evidence structure against the sixteen derivation rules and applying the derivation.






It is routine to check that each derivation corresponds to a proof rule of minimal logic. In our implementation of the proof procedure (shown in the Appendix) we need only the evidence term $evd$ and the constraints (which we call the "model") because the typing and the goal are just the current hypotheses and goal of the sequent being proved. From this information the recursive Nuprl tactic decides which derivation rule to apply (or that it needs to compute the evidence term) and then updates the evidence and constraints and uses one of the primitive logical rules to get the next typing hypotheses and next goal term.

Our Theorem 1 is proved once we establish that the recursive procedure terminates.

6 Termination of the proof procedure

We first show termination under the assumption that $evd$ is fully normalized, which will establish Theorem 2.

Lemma 10. If $evd$ is fully normalized then the evidence structure generation procedure terminates.

Proof. Let $nc(evd)$ be the number of occurrences of decide, spread, or apply operators in term $evd$. Let $cbv(evd)$ be the number of occurrences of the call-by-value apply operator. Let $npr(evd)$ be the number of occurrences of the $(x, y)$ operator. Let $cn(evd)$ be the number of occurrences of the $(\mathrm{val}\ x, y)$, $\mathrm{inl}\ x$, or $\mathrm{inr}\ y$ operators.

We prove termination by induction on the lexicographically ordered tuple

$(nc(evd), cbv(evd), npr(evd), cn(evd))$

Each rule in Figure 1 changes $evd$ to a subterm of $evd$ and removes at least one of the counted operators, except for rule ∃PAIR which changes a $(x, y)$ into a $(\mathrm{val}\ x, y)$, so the measure decreases in each of these steps.

Some of the rules in Figure 2 reduce the measure by replacing a subterm of $evd$ that includes a decide, spread, or apply operator by a variable and then substituting a pattern into the result. This reduces the $nc(evd)$ count and may increase only the $npr(evd)$ and $cn(evd)$ counts, because patterns have only $(x, y)$, $\mathrm{inl}\ x$, or $\mathrm{inr}\ y$ operators. Thus, in every case it is easily checked that the measure decreases.

It remains to show that in the computation steps that compute $evd$ until it is canonical or has a principal variable we can in fact fully normalize the evidence term and that this will not increase the measure.

If $evd$ is fully normalized, then the only rules which derive evidence that may not be fully normalized are those that substitute a pattern. The resulting term $evd'$, which has some pattern $ptn$ in some places where $evd$ had a variable, can contain only spread, decide, apply, or call-by-value apply redexes. When these are reduced, they result only in sub-patterns of $ptn$ being substituted for variables. Thus, by induction on the size of $ptn$ we can show that normalization of $evd'$ terminates and does not increase the measure. □
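As an added illustration (not code from the paper or from its Nuprl implementation), the following Python models Definition 17 and the termination measure of Lemma 10 on a constructed tagged-tuple encoding of evidence terms, then applies the ∧SPREAD, DECIDE and ∧PAIR steps to constructed evidence for $(A \wedge B) \Rightarrow (B \wedge A)$ and $(A \vee B) \Rightarrow (B \vee A)$ so the decrease of the measure can be checked. The encoding and all helper names are our own assumptions.

```python
"""Evidence terms, principal subterms (Definition 17) and the termination
measure of Lemma 10.  Constructed encoding (ours, not the paper's or Nuprl's);
binders are bare strings, every other component is a term:
  ('var', x)                 variable x
  ('pair', a, b)             (a, b)
  ('valpair', a, b)          (val a, b)
  ('inl', a) / ('inr', a)    injections
  ('lam', x, body)           lambda x. body
  ('app', f, a)              f(a)
  ('cbv', f, a)              f(val a), call-by-value apply
  ('spread', p, x, y, body)  spread(p; x, y.body)
  ('decide', d, x, a, y, b)  decide(d; x.a; y.b)"""

def principal_arg(t):
    """The subterm whose value the computation of t needs first, or None
    when t is a variable or a canonical form with nothing to compute."""
    tag = t[0]
    if tag in ('decide', 'spread', 'app', 'valpair'):
        return t[1]      # decide(d;..), spread(p;..), f(b), (val a, b)
    if tag == 'cbv':
        return t[2]      # f(val b): b is computed before the call
    return None

def principal(t):
    """Definition 17: principal(t) follows principal_arg until it stops."""
    arg = principal_arg(t)
    return t if arg is None else principal(arg)

def principal_redex(t):
    """The operator applied directly to the principal variable, or None if
    the computation can still proceed (or t is canonical)."""
    arg = principal_arg(t)
    if arg is None:
        return None
    return t if arg[0] == 'var' else principal_redex(arg)

def measure(t):
    """Lemma 10: the tuple (nc, cbv, npr, cn), compared lexicographically."""
    tag = t[0]
    own = (int(tag in ('decide', 'spread', 'app')),   # nc
           int(tag == 'cbv'),                          # cbv
           int(tag == 'pair'),                         # npr
           int(tag in ('valpair', 'inl', 'inr')))      # cn
    for s in (s for s in t[1:] if isinstance(s, tuple)):
        own = tuple(a + b for a, b in zip(own, measure(s)))
    return own

def subst(t, v, pattern):
    """t[v := pattern]; a binder equal to v shadows it.  Patterns only use
    fresh variables, so no capture can occur."""
    tag = t[0]
    if tag == 'var':
        return pattern if t[1] == v else t
    if tag == 'lam':
        return t if t[1] == v else ('lam', t[1], subst(t[2], v, pattern))
    if tag == 'spread':
        _, p, x, y, body = t
        body = body if v in (x, y) else subst(body, v, pattern)
        return ('spread', subst(p, v, pattern), x, y, body)
    if tag == 'decide':
        _, d, x, a, y, b = t
        a = a if x == v else subst(a, v, pattern)
        b = b if y == v else subst(b, v, pattern)
        return ('decide', subst(d, v, pattern), x, a, y, b)
    return (tag,) + tuple(subst(s, v, pattern) for s in t[1:])

def replace(t, old, new):
    """Replace every occurrence of the subterm old in t by new."""
    if t == old:
        return new
    return (t[0],) + tuple(replace(s, old, new) if isinstance(s, tuple)
                           else s for s in t[1:])

def and_spread_step(evd):
    """Rule ∧SPREAD: evd(spread(p; x, y.t)) becomes (evd(t))[p := (x, y)]."""
    redex = principal_redex(evd)
    assert redex is not None and redex[0] == 'spread'
    _, p, x, y, body = redex
    return subst(replace(evd, redex, body), p[1],
                 ('pair', ('var', x), ('var', y)))

def decide_step(evd):
    """Rule DECIDE: (evd(a))[c := inl x] and (evd(b))[c := inr y]."""
    redex = principal_redex(evd)
    assert redex is not None and redex[0] == 'decide'
    _, c, x, a, y, b = redex
    return (subst(replace(evd, redex, a), c[1], ('inl', ('var', x))),
            subst(replace(evd, redex, b), c[1], ('inr', ('var', y))))

def derivation_measures():
    """Measures along one branch for spread(p; x, y.(y, x)), the evidence left
    after ⇒λ on λp.spread(p; x, y.(y, x)) for (A ∧ B) ⇒ (B ∧ A):
    ∧SPREAD, then ∧PAIR (left component), which ends in VAR."""
    evd = ('spread', ('var', 'p'), 'x', 'y',
           ('pair', ('var', 'y'), ('var', 'x')))
    steps = [evd, and_spread_step(evd)]
    steps.append(steps[-1][1])       # ∧PAIR keeps a proper subterm
    return [measure(s) for s in steps]
```

Each DECIDE or ∧SPREAD step lowers $nc$ while the substituted pattern can only raise $npr$ or $cn$, which is exactly why the lexicographic order in the proof is the right one.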

The proof of termination for the general case, where $evd$ is not assumed to be fully normalized, uses Brouwer's Fan Theorem. For that proof we need the following definitions and lemmas.

Definition 18. A derivation rule is constant domain if it does not add a new variable $d_i : D$ to the derived contexts.

All of the derivation rules in Figures 1 and 2 are constant domain except for the rules ∀λ and ∃SPREAD.

Definition 19. A derivation is a $\psi$-derivation if it is an instance of one of the derivation rules where the formulas in the context $H$ and goal $G$ are instances of subformulas of $\psi$.






Definition 20. Context $H'$ is a constant domain $\psi$-extension of context $H$ (written $H$ $H'$) if $H'$ can be obtained from $H$ by applying $\psi$-derivations that are instances of constant domain derivation rules.

Context $H$ is a maximal $\psi$-context if there is no proper $H'$ with $H$ $H'$.

Lemma 11. For any formula $\psi \in \mathcal{MF}(\mathcal{L})$ and any context $H$ there are only finitely many $H'$ such that $H$ $H'$.

Proof. Let $D_0$ be the set of variables $d_i$ with $d_i : D \in H$. Repeated application of the constant domain $\psi$-derivations will add new declarations and constraints $v : P(d); f(\mathrm{val}\ d) = v$ for all the universally quantified declarations $f : \forall x.\, P(x)$ and every $d \in D_0$. These new declarations will in turn be instantiated with every $d \in D_0$. Any declaration of the form $v : A \vee B$ will generate two derived extensions where $v$ is replaced by either $\mathrm{inl}\ x$ for $x : A$ or by $\mathrm{inr}\ y$ for $y : B$. Declarations of the form $p : A \wedge B$ will be replaced by $x : A; y : B$ and $p$ replaced by $(x, y)$. Every subformula of $\psi$ may be added to the context with its free variables replaced by members of $D_0$. But for a finite $D_0$ and fixed formula there are only finitely many such extensions. □

Corollary 3. For any context $H$ there is a finite, non-empty set of maximal $\psi$-contexts $H'$ such that $H$ $H'$.

Definition 21. The one step $\psi$-extension of $H$ is obtained from $H$ by adding $d_i : D$ for the least $i \in \mathbb{N}$ for which $d_i$ is not in $H$, then applying the ∃SPREAD rule to add new domain elements for every existentially quantified formula in $H$.

Context $H'$ is a next $\psi$-extension of $H$ if it is a maximal constant domain $\psi$-extension of the one step $\psi$-extension of $H$.

$SM(\psi)$, the spread of symbolic models of $\psi$, is the tree with the empty context at the root and the successors of node $H$ being the next $\psi$-extensions of $H$.

An infinite path through $SM(\psi)$ describes a freely-chosen model $M$ with $M(D) = Var$. In this model the evidence term $evd$ must compute evidence for $M(\psi)$, and we use the termination of this computation to bar the spread $SM(\psi)$. Brouwer's Fan Theorem then gives a uniform bar, and this implies that our proof procedure terminates on $evd$ and produces a minimal logic proof of $\psi$.

Definition 22. Let $\alpha$ be an infinite path in $SM(\psi)$. The computation $c(\alpha, \psi, evd, n)$ where $n > 0$ is defined by computing $evd$ in the context $\alpha(n)$ (a maximal context along path $\alpha$) to a term $evd'$ that is canonical or has a principal variable. The computation proceeds by cases:

• If $evd'$ is a variable $v$ and $v : \psi$ is in the context then halt and return $n$.

• If $evd'$ is $\mathrm{inl}\ evd_1$ and $\psi = \psi_1 \vee \psi_2$ then the computation proceeds with $c(\alpha, \psi_1, evd_1, n)$.

• If $evd'$ is $\mathrm{inr}\ evd_2$ and $\psi = \psi_1 \vee \psi_2$ then the computation proceeds with $c(\alpha, \psi_2, evd_2, n)$.

• If $evd'$ is $(evd_1, evd_2)$ and $\psi = \psi_1 \wedge \psi_2$ then return the maximum of the dovetailed or sequential computation of both $c(\alpha, \psi_1, evd_1, n)$ and $c(\alpha, \psi_2, evd_2, n)$.

• If $evd'$ is $\lambda x.\, evd_1$ and $\psi = \psi_1 \Rightarrow \psi_2$ then, since the context $\alpha(n)$ is maximal, there is a declaration $v : \psi_1$, so proceed with $c(\alpha, \psi_2, evd_1[x := v], n)$.

• If $evd'$ is $\lambda x.\, evd_1$ and $\psi = \forall x.\, \psi_2$ then in $\alpha(n+1)$ a fresh $d_j : D$ was added, so proceed with $c(\alpha, \psi_2[x := d_j], evd_1[x := d_j], n+1)$.

• If $evd'$ has a principal variable $v$ that is the argument to a decide operator, then the maximal context specifies that $v = \mathrm{inl}\ x$ or $v = \mathrm{inr}\ y$, so replace $v$ and proceed with the computation.

• If $evd'$ has a principal variable $v$ that is the argument to a spread operator, then if the maximal context specifies that $v = (x, y)$ replace $v$ and proceed with the computation (this must happen if $v : A \wedge B$ is in the context). Otherwise, if $v : \exists z.\, P(z)$ is in the context then in the next context, $\alpha(n+1)$, $v$ will be replaced by a pair $(d_j, w)$ where $d_j : D$ is new and $w : P(d_j)$, so replace $v$ by $(d_j, w)$ to get $evd''$ and proceed with $c(\alpha, \psi, evd'', n+1)$.

• If $evd'$ has a principal variable $v$ where the principal subterm is $v(d_n)$ then $d_n : D$ is in the context, and since the context is maximal there is a constraint $v(d_n) = w$ in the context, so replace the subterm $v(d_n)$ with $w$ and proceed with the computation.

• Otherwise abort the computation.

Lemma 12. If $evd$ is uniform evidence for $\psi$ then the computation $c(\alpha, \psi, evd, n+1)$ converges.

Proof. Any path $\alpha$ through $SM(\psi)$ defines a model $M$ in which $evd \in M(\psi)$. □

Corollary 4. The proof procedure terminates, and this establishes Theorem 1.

Proof. For any $\alpha$, the computation $n = c(\alpha, \psi, evd, 1)$ converges. This defines a bar on the fan $SM(\psi)$. By Brouwer's theorem, there is a uniform bar $N$. The length of any branch in the tree of evidence structures produced by the proof procedure is bounded by $c(\alpha, \psi, evd, 1)$ for some path $\alpha$. Thus the height of the tree of evidence structures is bounded by $N$. Since it is finitely branching, it is finite. □

We have implemented the proof procedure as a tactic in Nuprl and tested it on a number of examples. We can construct evidence terms from the extracts of Nuprl proofs or construct them by hand. We can then modify the evidence terms using any operators we like so that the resulting term is computationally equivalent to the original. Thus we can introduce abbreviations (which is equivalent to using the cut rule) and use operators such as $\pi_1$ and $\pi_2$ (which Nuprl displays as fst and snd, as in ML) and (if c then a else b) that are defined in terms of the primitive spread and decide operators. In Appendix 8 we show one such example and describe the implementation of the tactic.



7 Observations and Corollaries

If $evd_1$ is uniform evidence for $\psi_1$ and $evd_2$ is uniform evidence for $\psi_1 \Rightarrow \psi$ then the application $evd_2(evd_1)$ is uniform evidence for $\psi$. This observation gives us a semantic proof of cut elimination for first-order minimal logic.

Lemma 13. If $\psi \in \mathcal{MF}(\mathcal{L})$ is provable in minimal logic with the cut rule ($\vdash_{mlc} \psi$) then $\vdash_{ml} \psi$.

Proof. The evidence term extracted from the proof $\vdash_{mlc} \psi$ is uniform evidence for $\psi$. By Theorem 1, $\vdash_{ml} \psi$. □
8 Appendix



⊢ ∀[A,D:Type]. ∀[R,Eq:D → D → ℙ].
    ((∀x,y,z:D. (R[x;y] ⇒ (R[y;z] ∨ Eq[y;z]) ⇒ R[x;z]))
     ⇒ (∀x:D. (R[x;x] ⇒ A))
     ⇒ (∀x:D. ∃y:D. R[x;y])
     ⇒ (∃m:D. ∀x:D. ((Eq[x;m] ⇒ A) ⇒ R[x;m]))
     ⇒ A)

BY EvidenceTac ⌈λTrans,Irr,Unbdd,MxEx.
                  let m = fst(MxEx) in
                  let bounds = snd(MxEx) in
                  let y,ygtr = Unbdd m in
                  let loop = Trans m y m ygtr in
                  let F = λx.(Irr m (loop x)) in
                  F (inl (bounds y (λeq. (F (inr eq)))))⌉

THENA Auto

Figure 3: Example minimal logic proof from evidence

This example shows how equality can be represented as an atomic relation symbol. The formula states (in minimal logic) that an irreflexive, transitive relation that is unbounded cannot have a maximal element. We have introduced a number of abbreviations into the evidence term to illustrate the fact that the proof procedure does not require normalized terms.

The tactic EvidenceTac is shown in Figure 4. It uses the evidence to generate the proof. In Nuprl, some of the primitive rules of minimal logic (hypothesis, and, or, implies, forall, exists introduction and elimination) create auxiliary subgoals to show that the rules have been applied to well-formed propositions. In the proof in Figure 3 the tactic THENA Auto is used to prove these auxiliary goals.

let EvidenceTac evd =
  % helper functions here %
  letrec evdProofTac M evd p =
    let op = opid_of_term evd in
    if member op ``variable pair inl inr lambda`` then
      canonical op M evd p
    else
      let t = get_principal_arg_with_context evd in
      if is_variable_term (subtermn 1 t) then
        let op = opid_of_term t in
        if member op ``spread decide callbyvalue apply`` then
          noncanonical op t M evd p
        else (AddDebugLabel 'arg not reducible' p)
      else let evd' = apply_conv (ComputeToC []) evd in
        if alpha_equal_terms evd' evd then Id p
        else evdProofTac M evd' p
  in Repeat UniformCD
     THEN evdProofTac [] evd

Figure 4: Tactic code for Proof from Uniform Evidence
The basic structure of the tactic is to take off the uniform quantifiers and then start the proof procedure from the evidence. If the evidence is canonical it uses one of the rules for that case; otherwise, if there is a principal variable, it uses one of the rules for non-canonical evidence; and otherwise it computes the evidence term. The helper code includes the tactic for taking off a uniform quantifier,

let UniformCD p = if is_term `uall` (concl p)
                  then (D 0 THENA Auto) p
                  else Fail p in
let mk_cbv_pair t1 t2 =
  subst ['x',t1; 'y',t2] ⌈let a := x in <a, y>⌉ in
let mk_cbv_ap fun arg =
  subst ['arg',arg; 'f',fun] ⌈let a := arg in f a⌉ in
let do_update v pattern redex result evd M =
  let sub = [v, pattern] in
  subst sub (replace_subterm redex result evd),
  map (\(ap,val). (ap, subst sub val)) M in
let lookup M t =
  let test (ap, val) =
    if alpha_equal_terms ap t then val else fail in
  inl (first_value test M) ? inr () in

Figure 5: Code for helper functions

functions for forming the call-by-value pair and apply terms, and code for substituting a pattern into the evidence and constraints (here called the model) in order to eliminate a redex from the non-canonical evidence. The lookup function checks for the existence of a constraint on a given apply term from the evidence.

canonical op M evd p =
  if op = 'variable' then
    let x = dest_variable evd in
    let n = get_number_of_declaration p x in NthHyp n p
  else if op = 'pair' then
    let evd1,evd2 = dest_pair evd in
    if is_term 'and' (concl p) then
      (D 0 THENL [evdProofTac M evd1; evdProofTac M evd2]) p
    else if is_term 'variable' evd1 then
      (With evd1 (D 0) THENM (evdProofTac M evd2)) p
    else (evdProofTac M (mk_cbv_pair evd1 evd2)) p
  else if op = 'inl' then
    (OrLeft THENM (evdProofTac M (dest_inl evd))) p
  else if op = 'inr' then
    (OrRight THENM (evdProofTac M (dest_inr evd))) p
  else let x,t = dest_lambda evd in
    let z = maybe_new_var x (declared_vars p) in
    let evd1 = if z = x then t else subst [x, mvt z] t in
    SeqOnM [D 0; RenameVar z (-1); evdProofTac M evd1] p

Figure 6: Code for canonical evidence

The code for the canonical case comes from the rules in Figure 1. In each case, the corresponding proof rule of the logic is invoked with the tactic D 0. To make life easier for users, Nuprl has organized all the primitive rules into one tactic named D (for decompose). The number indicates that we are applying a primitive rule to decompose the conclusion of the sequent rather than one of the hypotheses. This is because canonical evidence always indicates that the next proof step is an introduction rule.

noncanonical op t M evd p =
  if op = 'spread' then
    let t1,bt = dest_spread t in
    let v = dest_variable t1 in
    let [x;y],body = rename_bvs p bt in
    let pattern = mk_pair_term (mvt x) (mvt y) in
    let evd1, M' = do_update v pattern t body evd M in
    let n = get_number_of_declaration p v in
    Seq [D n
        ; RenameVar x n
        ; RenameVar y (n+1)
        ; evdProofTac M' evd1] p
  else if op = 'decide' then
    let t1, bt1, bt2 = dest_decide t in
    let v = dest_variable t1 in
    let [x], case1 = rename_bvs p bt1 in
    let pattern1 = mk_inl_term (mvt x) in
    let evd1, M1 = do_update v pattern1 t case1 evd M in
    let [y], case2 = rename_bvs p bt2 in
    let pattern2 = mk_inr_term (mvt y) in
    let evd2, M2 = do_update v pattern2 t case2 evd M in
    let n = get_number_of_declaration p v in
    (D n THENL [ RenameVar x n THEN evdProofTac M1 evd1
               ; RenameVar y n THEN evdProofTac M2 evd2
               ]) p
  else if op = 'callbyvalue' then
    let kind, arg, ([x], B) = dest_callbyvalue t in
    let B' = subst [x, arg] B in
    evdProofTac M (replace_subterm t B' evd) p
  else apply_case t M evd p

Figure 7: Code for non-canonical evidence

The code for the non-canonical case comes from the rules in Figure 2. In these cases we use an elimination rule, indicated by the fact that the tactic calls D n where n is the hypothesis number for the declaration of the principal variable. The code for the apply case is shown in Figure 8. When the type of the declared variable (T = h n p) is an implies we use the rule ⇒APPLY that adds a constraint that the declared function is a constant function. In this implementation we substitute the constant function for the variable and eliminate it entirely. We can prove that this results in behavior that is equivalent to the derivation rules.
apply_case t M evd p =
  let fun,arg = dest_apply t in
  let v = dest_variable fun in
  let n = get_number_of_declaration p v in
  let T = h n p in
  if is_term 'implies' T then
    let x = maybe_new_var 'x' (declared_vars p) in
    let pattern = mk_lambda_term 'z' (mvt x) in
    let evd1, M' = do_update v pattern t (mvt x) evd M in
    ((D n THEN Fold 'implies' n)
     THENL [ evdProofTac M arg
           ; RenameVar x (-1) THEN evdProofTac M' evd1]) p
  else if is_term 'all' T then
    if is_variable_term arg then
      let w = dest_variable arg in
      let ans = lookup M t in
      if isl ans then
        evdProofTac M (replace_subterm t (outl ans) evd) p
      else
        let x = maybe_new_var 'x' (declared_vars p) in
        let evd1 = replace_subterm t (mvt x) evd in
        let M' = (t, (mvt x)).M in
        (SimpleInstHyp arg n THENM
          (Seq [ RenameVar x (-1); evdProofTac M' evd1])) p
    else let evd' = replace_subterm t (mk_cbv_ap fun arg) evd in
      evdProofTac M evd' p
  else (AddDebugLabel 'fun in apply has wrong type' p)

Figure 8: Code for apply case of non-canonical evidence